


Risk-based Audit Plan, 2008-2010


Risk-based Audit Plan

1. Introduction

1.1 Background

1.2 Objectives and Approach

2. Identified Key Risks

3. Risk-based Audit Plan

3.1 2008-2010 Audit Activities

Appendix A – Audit Charter

1 Introduction

1.1 Background

The Information Commissioner and his Office are subject to requirements of Treasury Board’s (“TB”) new Policy on Internal Audit, which came into effect on April 1, 2006. Policy requirements include the establishment of an Internal Audit function and an independent Audit Committee, the appointment of a Chief Audit Executive, and the approval of an internal audit plan.

The Officers of Parliament created a working group to jointly develop approaches to enable the offices to apply the principles of the internal audit policy while respecting their independence from the government. The Working Group of Officers of Parliament has agreed that the intent of the government’s Internal Audit Policy shall be reflected in the Internal Audit systems, processes and infrastructure within each Office of Parliament, while taking account of their status of independence, their relatively small size and the oversight role played by the Parliamentary Advisory Panel on the funding of Officers of Parliament.

The Office of the Information Commissioner (“OIC”) has engaged Deloitte & Touche LLP (“Deloitte”) to assist with the provision of required internal audit services for fiscal year 2008/2009. Services to be provided by Deloitte include:

  • the development of an OIC specific Internal Audit Charter;
  • development of a risk-based audit plan (“RBAP”);
  • the conduct of 1-2 audits between April 2008 and March 2009.

This document represents OIC’s RBAP which identifies and prioritizes potential audits over the next 3 fiscal years based on the key risks or challenges facing the OIC. Appendix A provides OIC’s internal audit charter which has been customized to reflect OIC’s context and provides more information on Deloitte’s roles and responsibilities. Note that the RBAP is aligned with the internal audit principles as outlined within the internal audit charter.



1.2 Objectives and Approach

Risk-based auditing begins by identifying and understanding organizational objectives, and then considers the risks that impact on the achievement of those objectives and the activities in place to mitigate those risks.

The purposes of the risk-based audit plan are to:

  • determine the priorities for Internal Audit based on risks and exposures that may affect the organization;
  • set out the audit program and time frame needed for the completion of internal audits; and
  • provide a basis for presentation of the RBAP to the Audit Committee for their review and approval.

The approach used to develop the RBAP is described below.

[Figure: approach used to develop the RBAP]

It should be noted that, in selecting audits for completion, the OIC’s current context was a key consideration – that is, OIC has undergone significant transformation and has developed (or is in the process of developing) a number of new core processes along with clarified roles and responsibilities over the past year. As such, through discussions with OIC management, it was agreed that the initial focus for internal audit services would be in conducting internal audits which provide ‘just-in-time’ feedback on new/maturing processes, in order to maximize value of internal audit to the OIC. As the Internal Audit function and OIC’s newly developed processes mature, the internal audit focus can shift to conducting more compliance-based engagements, as appropriate. Note that this approach is consistent with the Internal Audit Charter.

As required by the TB Directive on Departmental Audit Committees, the risk-based internal audit plan will be presented to the new independent audit committee for their review and recommendation to the Commissioner.  



2. Identified Key Risks

The following summarizes the key risks facing the organization which were identified through interviews with OIC management:

  • Effectiveness of a) solutions to address inventory, and b) new and existing investigative processes: During interviews with OIC management, the effectiveness and efficiency of the complaints investigation process was noted as an area of risk. Specifically, the ability of the OIC to effectively and efficiently investigate access complaints has been challenged by the large increase in complaints received over the last year, mainly due to the increase in the number of federal organizations subject to the Access to Information Act. The increase in the number of complaints has created pressure on OIC’s capacity to investigate and resolve cases and has resulted in large inventories of in-process cases and cases that have not yet been initiated. In order to deal with the increase in complaints and to reduce the complaints inventory, the Complaints Resolution and Compliance Branch has developed a strategy that includes the development of an early intake resolution process. As with any new process, there are risks related to appropriate design of controls within the process, provision of training and communications to stakeholders, development of performance measures to track results, etc. Along with the new process developed, ensuring an effective and efficient investigation process after the early resolution intake was noted as being equally important. If this is not completed appropriately, the OIC faces risks with regard to its ability to deliver on its mandate effectively.
  • Ability to recruit and retain staff: OIC is currently facing difficulties in recruiting and retaining qualified ATI investigators. Interviews with OIC management indicated that there are challenges finding qualified and experienced investigators as a result of increased demand for ATIP officers across the federal public sector. It should be noted that while budget for additional investigators was made available to the OIC, the OIC has not been able to staff many of the vacant investigator positions due to a lack of qualified investigators in the marketplace. This condition puts an increased burden on the OIC’s ability to effectively investigate and reduce the inventory of ATI complaints. Capacity issues were also noted in other areas such as Parliamentary Relations, Policy, Communications, Finance, Human Resources, and in IM/IT, as interviewees noted that current FTEs are insufficient to manage workload requirements. Another staffing risk noted was instances of “single-point-of-failure” (i.e. situations where the majority of corporate knowledge in a particular area is concentrated with a single individual, without adequately documented procedural information; if that person was unavailable, OIC would face challenges in continuing operations in the area). Note that work related to staffing risks is currently underway within OIC, including an A-Base review and an IM/IT business case that is being developed for TBS submission.
  • Effectiveness of OIC’s information management/information technology (IM/IT) environment: OIC currently conducts business under multiple separate IT environments (an internal, external, legal and financial environment). The multiple environments create inefficiencies for OIC staff in the conduct of day-to-day operations. In addition, the sharing and hosting of the financial IT environment by the Office of the Privacy Commissioner (OPC) creates additional risks for OIC’s Finance unit and has recently led to challenges with accessing financial information. Moreover, the case management and document management applications used by both the Complaints Resolution and Compliance Branch and the Legal Services Branch are custom-developed applications that have been difficult from a user perspective, difficult to maintain from an IT perspective, and are also at the end of their useful life. These challenges represent key risks for OIC in being able to effectively execute its business processes. It should be noted that in order to better meet OIC IM/IT requirements, IT management has recently hired a consultant to develop a long term IM/IT Plan and develop a business case for increased funding.
  • Appropriate information management practices: Related to the IM/IT issues noted above, the OIC does not currently have effective organization-wide policies and practices with respect to information management. This exposes OIC to significant reputation risk given that the Office advocates and promotes high standards for information management as an enabler to effective management of ATI requests. In addition to this broad organization-wide risk, as part of its mandate, the OIC is often in possession of other government departments’ and agencies’ confidential and designated information that must be appropriately safeguarded. The inappropriate disclosure of sensitive information due to a security breach and/or inappropriate information management practices by OIC could seriously damage OIC’s standing with other government departments, members of parliament and the public at large. In addition to safeguarding classified and designated information, OIC must also ensure that the integrity of investigation and legal case documents is maintained and that files are not inadvertently altered or discarded. OIC management has indicated that there are technical issues with both the investigation and legal case management systems that could potentially impact the integrity of OIC documents. Should problems arise in this area, this would be a key risk for the organization.
  • Ability to respond to Access to Information (ATI) requests: Since April 1, 2007, the OIC itself has been subject to requirements of the Access to Information Act. Given the challenges being faced with IM/IT and given that newly developed processes are being implemented, there are increased risks with regard to meeting ATI standards. ATI requests made to the OIC can also be more complex than those received by other federal organizations because the OIC is often receiving requests about current or recent investigations, and extra due diligence is required to ensure that information is not inappropriately released prior to the completion of the investigative process and communications to the stakeholders involved in the investigation. In addition, due to the OIC’s mandate, it is important that the OIC’s own practices be at the leading edge, such that they represent a model for other federal organizations to follow. Failure to meet ATI requirements and demonstrate leading practices represents a serious reputation risk for the OIC.
  • Compliance with federal regulations and policies: As with all federal departments and agencies, OIC is subject to a number of federal government regulations and policies. As a small organization, OIC may face difficulties in achieving compliance due to its small size and resource base. In addition, through the Federal Accountability Act, the Information Commissioner’s accountability for compliance with policy and regulation has been heightened with the designated Accounting Officer role and the obligation to appear before a Parliamentary Committee, if requested. Examples of policy non-compliance have already been identified in the area of human resources and compensation through the OAG annual audit for the fiscal year 2006-07. Non-compliance with regulations and policies is an ongoing risk faced by all government departments and agencies, including the OIC. An added complexity in the area of compliance with federal regulations and policies is the requirement for the OIC to maintain independence from Treasury Board. An Officers of Parliament working group is tasked with reviewing new policy requirements to determine whether the requirements impact the independence, or the perception of independence, of Officers of Parliament. It should be noted that the OIC has ongoing discussions with Treasury Board Secretariat regarding existing policies and, as part of policy suite renewal, regarding the applicability of policies for Officers of Parliament.
  • Change Management: The OIC has changed dramatically over the past year (in areas such as structure, processes, etc.) and, based on current initiatives, this is expected to continue. When change is not formally managed, the controls required to achieve the outcomes intended, and the reinforcement needed to ensure that the changes are sustained, may not be in place. In addition, change can result in unintended consequences that can be detrimental to the organization and its ability to achieve objectives.


3. Risk-based Audit Plan

The RBAP for the 2008 – 2010 timeframe is summarized in the table below. Audits/reviews were selected based on the key risks identified through the risk-based audit planning process and described in Section 2. Audits/reviews have been identified such that there is an opportunity for sufficient coverage to meet management’s requirements for ensuring that there is an adequate internal control environment in relation to identified risks. However, it is understood that resource constraints may preclude the organization from undertaking all audits identified and that the Audit Committee reserves the right to select the audit coverage as deemed appropriate.

It should also be noted that the audits/reviews recommended for conduct over the next 3 years have been selected based on the principles outlined within the Internal Audit Charter.

3.1 2008-2010 Audit Activities

Each entry below gives the audit activity, its description, the planning year where indicated (Year 1, Year 2 or Year 3) and the audit rationale.

Audit Activity: Audit of the inventory assessment and strategic case management processes put in place to address the pre-April 01, 2008 inventory
Description: Audit of the inventory assessment and strategic case management processes to determine whether the processes have been designed appropriately and are working effectively. The engagement will provide an opportunity for an independent review of the new processes to provide feedback on areas working well and areas for improvement. The scope of the audit will include:
  • Appropriateness of the risk management protocols and internal controls established within the processes;
  • Effectiveness of training and communication conducted in implementing the new processes;
  • Effectiveness of change management controls needed to ensure change is accepted, sustained, and delivers the results intended; and,
  • Appropriateness of performance measurement protocols put in place to provide ongoing feedback on the process.
Planning Year: Year 1
Audit Rationale: The new inventory assessment and strategic case management processes are critical for the OIC in resolving issues related to the complaints inventory, which has become the pre-occupation of OIC stakeholders including Parliament and Treasury Board. These new processes will also be critical input to establishing a sustainable process going forward. As with all new processes, there are design and implementation risks which would benefit from an independent review for feedback.

Audit Activity: Audit of the early intake and the complaints resolution and compliance processes put in place to deal with the post-April 2008 cases
Description: The audit would assess the management risk and control framework in place within the early intake and the complaints resolution and compliance processes. The audit would also identify potential areas for process improvement and the extent to which lessons learned from dealing with the pre-April 2008 inventory have been leveraged. The audit would address:
  • Appropriateness of the internal controls established within the processes;
  • Review of oversight/governance practices with regards to investigations;
  • Appropriateness of documentation management and reporting; and,
  • Effectiveness of change management controls needed to ensure change is accepted, sustained, and delivers the results intended.
Audit Rationale: The early intake and the complaints resolution and compliance processes are key activities for the OIC in fulfilling its mandate. Effective processes in this area are crucial to ensuring timely management of cases as they are received, application of appropriate due diligence, and mitigating the risk of new inventories building up over time. A risk-based approach to allocating resources within the processes supports effective and efficient operations. These core processes should be subject to independent audit review periodically.

Audit Activity: Audit of HR processes and service delivery model
Description: The audit would review OIC’s key HR processes and service delivery model with particular focus on:
  • Appropriateness of plans and practices for recruitment and retention;
  • Suitability of approach to training and development;
  • Implementation of practices such as succession planning, recognition/rewards programs, etc.
Note that the scope of this audit will not include compliance with HR regulations, given the Office of the Auditor General’s and the Public Service Commission’s recent work in this area.
Audit Rationale: Given the challenges being faced by OIC in attracting and retaining qualified and experienced resources, an independent review of HR practices in this area may be beneficial.

Audit Activity: Review of IM/IT strategy implementation
Description: Following the IM/IT strategy work currently being undertaken by OIC, and assuming the IM/IT business case is approved, this review will assess the appropriateness of OIC’s management plan to improve IM/IT practices within the organization. The review will assess progress made to date and identify any apparent roadblocks or risks which may hinder the organization’s ability to address identified IM/IT challenges. Lastly, this audit will review the effectiveness of change management controls needed to ensure change is accepted, sustained, and delivers the results intended.
Audit Rationale: Interviews with OIC management have indicated that the IM/IT environment within OIC is a barrier to the conduct of effective business operations. While a high level IT assessment, plan and business case are currently underway, it will be critical that OIC act on the developed strategy in an appropriate manner to address identified IM/IT challenges. This review will provide independent feedback to the Audit Committee on management’s progress in dealing with this area.

Audit Activity: Review of information management and access to information processes
Description: A high-level review of OIC information management practices to ensure information is appropriately safeguarded and policies and procedures for the handling of sensitive information exist. The review will focus on:
  • Information management handling practices, policies and procedures;
  • IT security related safeguards;
  • Document retention and data integrity for investigative and legal information;
  • Access to information request handling; and
  • Effectiveness of change management controls needed to ensure change is accepted, sustained, and delivers the results intended.
Audit Rationale: Appropriate information management is key for the OIC in terms of maintaining the confidence of other government departments and agencies, Parliament and the public at large. In addition, ensuring that investigation and legal information is accurate, complete, and unaltered is critical to the substantiation of results.

Audit Activity: Audit of Select Entity Level Controls (ELC)
Description: Audit of OIC’s key high-level management controls to ensure the “tone from the top” is appropriate to promote a sound environment for internal controls. The audit scope will cover the organization’s approach to:
  • Values & Ethics;
  • Governance;
  • Planning;
  • Risk Management; and
  • Policy Management.
Audit Rationale: Entity level controls, or “tone from the top”, are considered a crucial enabler for an effective internal control environment, especially in today’s environment of increased accountability and transparency. An independent review of key practices across a variety of entity-level control areas would be beneficial.

Audit Support Activities

Audit Activity: Attendance at Meetings and Presentations
Description: Attend select management meetings and Audit Committee presentations.
Audit Rationale: Required to maintain a visible presence within OIC and to report audit findings to the Audit Committee.

Audit Activity: Audit Planning Activities
Description: Conduct activities required to update the internal audit plan on an annual basis.
Audit Rationale: Required to ensure that scheduled audits are still relevant and to identify other audit priorities as they arise.

Audit Activity: Follow-up Audit Activities
Description: Conduct follow-up on previous internal audits to determine whether recommendations have been appropriately addressed by management.
Planning Year: Year 2: TBD; Year 3: TBD
Audit Rationale: Required to ensure recommendations have been appropriately addressed by management.


Appendix A – Audit Charter

Office of the Information Commissioner of Canada

INTERNAL AUDIT CHARTER

MISSION AND SCOPE OF WORK

The mission of Office of the Information Commissioner of Canada’s (OIC’s) Internal Audit function is to provide independent, objective assurance and consulting services designed to add value and improve the organization’s operations. It helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The scope of work of the internal auditing department is to determine whether the organization’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner that ensures:

  • Risks are appropriately identified and managed;
  • Interaction with the various governance groups occurs as needed;
  • Significant financial, managerial, and operating information is accurate, reliable, and timely;
  • Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations;
  • Resources are acquired economically, used efficiently, and adequately protected;
  • Programs, plans, and objectives are achieved;
  • Quality and continuous improvement are fostered in the organization’s control process; and,
  • Significant legislative or regulatory issues impacting the organization are recognized and addressed properly.

Due to the fact that Internal Audit is a new function within the OIC, and that the organization is undergoing major transformations, the initial focus for internal audit services will be in conducting internal audits which provide ‘just-in-time’ feedback on new/maturing processes, in order to maximize value of internal audit to the OIC. As the Internal Audit function and OIC’s newly developed processes mature, the internal audit focus can shift to conducting more compliance-based engagements, as appropriate.

The Internal Audit Charter is an essential component of the internal audit regime, and the following is reflective of the TB Policy on Internal Audit and the Joint Agreement of the Working Group of Officers of Parliament. The Working Group of Officers of Parliament has agreed that the intent of the government’s Internal Audit Policy shall be reflected in the Internal Audit systems, processes and infrastructure within each Office of Parliament while respecting their independence from the Government and taking into account their relatively small size and the oversight role played by the Parliamentary Advisory Panel on the funding of Officers of Parliament.

ACCOUNTABILITY

The Internal Audit function, in the discharge of its duties, shall be accountable to the Commissioner and the Audit Committee to:

  • Provide an assessment on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
  • Report significant issues related to the processes for controlling the activities of the organization including potential improvements to those processes, and provide information concerning such issues through resolution.
  • Provide information periodically on the status and results of the annual audit plan and the sufficiency of internal audit resources.
  • Coordinate with other internal and external control and monitoring functions (e.g. risk management, security, external audit).

INDEPENDENCE

To provide for the independence of the Internal Audit function, it will report administratively to the Assistant Commissioner, Policy, Communications and Operations, and functionally to the Commissioner and Audit Committee. Functional reporting includes the ability of the Internal Audit function to routinely meet with the Audit Committee Chair, conduct in-camera sessions with the Audit Committee, have the Audit Committee recommend approval of the Internal Audit charter and annual plan to the Commissioner, and have the Audit Committee involved in any appointment/removal decisions regarding the Chief Audit Executive. Administrative reporting relates to the relationship that facilitates the day-to-day operations of Internal Audit and includes activities such as internal communications and coordination, audit engagement coordination and status reporting.

RESPONSIBILITY

The Internal Audit function has responsibility to:

  • Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by Management and/or the Audit Committee, and submit that plan to the Audit Committee for review and recommendations for approval.
  • Implement the annual audit plan, as approved, including, and as appropriate, any special tasks or projects requested by Management and/or the Audit Committee.
  • Coordinate its activities with the external auditors to ensure appropriate sharing of information, and alignment of efforts to avoid duplication.
  • Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter.
  • Establish a quality assurance program for the operation of Internal Audit activities.
  • Evaluate and assess significant changes to the organization which may impact Management’s ability to achieve its objectives coincident with their development, implementation, and/or expansion.
  • Issue periodic reports to the Audit Committee and Management summarizing results of audit activities.
  • Keep the Audit Committee informed of emerging trends and successful practices in internal auditing.
  • Assist in the investigation of significant identified/suspected fraudulent activities within the organization and notify the Commissioner and the Audit Committee of the results.
  • Consider the scope of work of the external auditors, as appropriate, for the purpose of providing optimal audit coverage to the organization at a reasonable overall cost.

AUTHORITY

The Internal Audit function (Deloitte) is authorized to:

  • Have unrestricted access to all functions, records, property, and personnel and have the right to obtain information and explanations from office employees and contractors, subject to applicable legislation.
  • Have full and free access to the Audit Committee.
  • Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
  • Obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organization.

In support of these authorities, the OIC has dedicated a resource, the Director of Internal Audit and Planning, to act as a liaison who can facilitate access for Deloitte as described above. The Director will not however, perform any of the responsibilities of the Internal Audit function.

The Internal Audit function (Deloitte) is not authorized to:

  • Perform any operational duties for the organization.
  • Initiate or approve accounting transactions external to the Internal Audit function.
  • Direct the activities of any organization employee not employed by the Internal Audit function, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the Internal Audit function.

OPERATING MODEL

The OIC has decided to outsource the Internal Audit function and has assigned Deloitte & Touche LLP (“Deloitte”) as their outsourced Chief Audit Executive (hereafter “CAE”).

Internal Audit will conduct audit activities in accordance with this Audit Charter and will work with the Audit Committee to ensure audit plans allow for appropriate audit coverage and on-site presence/visibility within the OIC and to allow appropriate access by the OIC staff to the Internal Audit function, as required.

In order to keep sufficiently abreast and informed of OIC activities, the CAE or delegate should be invited to attend OIC Management meetings (in a capacity as an observer), be informed of key OIC email distributions, and be listed on OIC’s telephone directory.

The Audit Committee should formally revisit the outsourced Internal Audit function model periodically to ensure it is serving the OIC’s requirements appropriately.

STANDARDS OF AUDIT PRACTICE

The Internal Audit function will meet or exceed the Government of Canada’s Policy on Internal Audit and standards, including the International Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors when conducting internal audit engagements. 

APPROVALS

Original signed by
Deloitte & Touche LLP
In its capacity as the OIC’s
Chief Audit Executive
 
Original signed by
Internal Audit Committee Chair
 
Original signed by
Robert Marleau
Information Commissioner
 

Date Modified: 2012-02-28